CAPE

Detections: Emotet


Analysis

Category: FILE
Package: Extraction
Started: 2019-02-11 19:47:53
Completed: 2019-02-11 19:49:15
Duration: 82 seconds
2019-02-11 19:47:54,000 [root] INFO: Date set to: 02-11-19, time set to: 19:47:54, timeout set to: 60
2019-02-11 19:47:54,062 [root] DEBUG: Starting analyzer from: C:\xpeihypzec
2019-02-11 19:47:54,062 [root] DEBUG: Storing results at: C:\PNjDYhV
2019-02-11 19:47:54,062 [root] DEBUG: Pipe server name: \\.\PIPE\ADlzWjlmIu
2019-02-11 19:47:54,062 [root] INFO: Analysis package "Extraction" has been specified.
2019-02-11 19:47:55,371 [root] DEBUG: Started auxiliary module Browser
2019-02-11 19:47:55,371 [root] DEBUG: Started auxiliary module Curtain
2019-02-11 19:47:55,371 [modules.auxiliary.digisig] INFO: Skipping authenticode validation, signtool.exe was not found in bin/
2019-02-11 19:47:55,371 [root] DEBUG: Started auxiliary module DigiSig
2019-02-11 19:47:55,388 [root] DEBUG: Started auxiliary module Disguise
2019-02-11 19:47:55,388 [root] DEBUG: Started auxiliary module Human
2019-02-11 19:47:55,388 [root] DEBUG: Started auxiliary module Screenshots
2019-02-11 19:47:55,388 [root] DEBUG: Started auxiliary module Sysmon
2019-02-11 19:47:55,388 [root] DEBUG: Started auxiliary module Usage
2019-02-11 19:47:55,388 [root] INFO: Analyzer: DLL set to Extraction.dll from package modules.packages.Extraction
2019-02-11 19:47:55,388 [root] INFO: Analyzer: Package modules.packages.Extraction does not specify a DLL_64 option
2019-02-11 19:47:55,746 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\qep3B9WOJEjqG1.exe" with arguments "" with pid 928
2019-02-11 19:47:55,746 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-02-11 19:47:55,762 [lib.api.process] INFO: 32-bit DLL to inject is C:\xpeihypzec\dll\AmMwmRID.dll, loader C:\xpeihypzec\bin\yuOXBRi.exe
2019-02-11 19:47:55,762 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 928
2019-02-11 19:47:57,775 [lib.api.process] INFO: Successfully resumed process with pid 928
2019-02-11 19:47:57,775 [root] INFO: Added new process to list with pid: 928
2019-02-11 19:47:57,775 [root] INFO: Enabled timeout enforce, running for the full timeout.
2019-02-11 19:47:57,852 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77a00000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x77a5124a, Wow64PrepareForException: 0x0
2019-02-11 19:47:57,852 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x160000
2019-02-11 19:47:57,852 [root] DEBUG: CAPE initialised (32-bit).
2019-02-11 19:47:57,884 [root] INFO: Monitor successfully loaded in process with pid 928.
2019-02-11 19:47:57,930 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x220000, RegionSize: 0x1a000.
2019-02-11 19:47:57,930 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x220000, AllocationSize: 0x1a000, ThreadId: 0x7a4
2019-02-11 19:47:57,930 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xb8, Size=0x2, Address=0x220000 and Type=0x1.
2019-02-11 19:47:57,930 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x220000, size 2 with Callback 0x74e63100, ThreadHandle = 0xb8.
2019-02-11 19:47:57,930 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x220000
2019-02-11 19:47:57,946 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1342924
2019-02-11 19:47:57,946 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x220000.
2019-02-11 19:47:57,946 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-02-11 19:47:57,946 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 19:47:57,946 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1342924
2019-02-11 19:47:57,946 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x220000.
2019-02-11 19:47:57,946 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-02-11 19:47:57,946 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x22003c and Type=0x1.
2019-02-11 19:47:57,946 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:47:57,946 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x22003c (EIP = 0x1342924)
2019-02-11 19:47:57,946 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 19:47:57,946 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1342924
2019-02-11 19:47:57,946 [root] DEBUG: PEPointerWriteCallback entry.
2019-02-11 19:47:57,946 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x22003c.
2019-02-11 19:47:57,946 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x220080 and Type=0x1.
2019-02-11 19:47:57,946 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:47:57,946 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x220080 (EIP = 0x1342924)
2019-02-11 19:47:57,946 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-02-11 19:47:57,946 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1342924
2019-02-11 19:47:57,946 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x220080.
2019-02-11 19:47:57,946 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-02-11 19:47:57,946 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-02-11 19:47:57,946 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1342924
2019-02-11 19:47:57,961 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x220080.
2019-02-11 19:47:57,961 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x2200a8 and Type=0x1.
2019-02-11 19:47:57,961 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:47:57,961 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x1342924).
2019-02-11 19:47:57,961 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-02-11 19:47:57,961 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1342924
2019-02-11 19:47:57,961 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x2200a8.
2019-02-11 19:47:57,961 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x22009f and Type=0x0.
2019-02-11 19:47:57,961 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:47:57,961 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x22009f (EIP = 0x1342924).
2019-02-11 19:47:57,961 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 19:47:57,961 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1342924
2019-02-11 19:47:57,961 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x2200a8.
2019-02-11 19:47:57,961 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x222e9f and Type=0x0.
2019-02-11 19:47:57,961 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:47:57,961 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x222e9f (EIP = 0x1342924).
2019-02-11 19:47:57,961 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 19:47:57,961 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1342924
2019-02-11 19:47:57,961 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x2200a8.
2019-02-11 19:47:57,961 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x222e9f and Type=0x0.
2019-02-11 19:47:57,961 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:47:57,961 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x222e9f (EIP = 0x1342924).
2019-02-11 19:47:57,961 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 19:47:57,961 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1342924
2019-02-11 19:47:57,961 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x2200a8.
2019-02-11 19:47:57,961 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x222e9f and Type=0x0.
2019-02-11 19:47:57,961 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:47:57,961 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x222e9f (EIP = 0x1342924).
2019-02-11 19:47:57,961 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 19:47:57,977 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x490000, RegionSize: 0x18000.
2019-02-11 19:47:57,977 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x220000.
2019-02-11 19:47:57,977 [root] DEBUG: DumpPEsInRange: Scanning range 0x220000 - 0x23a000.
2019-02-11 19:47:57,977 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x220000
2019-02-11 19:47:57,977 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 19:47:57,977 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x220000
2019-02-11 19:47:57,977 [root] DEBUG: DumpProcess: Module entry point VA is 0x222e9f
2019-02-11 19:47:57,977 [root] INFO: Added new CAPE file to list with path: C:\xpeihypzec\CAPE\928_9785727512222019
2019-02-11 19:47:57,977 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 19:47:57,977 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x220000.
2019-02-11 19:47:57,977 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x220001-0x23a000.
2019-02-11 19:47:57,977 [root] DEBUG: NtAllocateVirtualMemory hook: PE image(s) detected and dumped.
2019-02-11 19:47:57,977 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x220000 - 0x23a000.
2019-02-11 19:47:57,977 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x2200a8.
2019-02-11 19:47:57,977 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x222e9f.
2019-02-11 19:47:57,977 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x490000, AllocationSize: 0x18000, ThreadId: 0x7a4
2019-02-11 19:47:57,977 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xb8, Size=0x2, Address=0x490000 and Type=0x1.
2019-02-11 19:47:57,977 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x490000, size 2 with Callback 0x74e63100, ThreadHandle = 0xb8.
2019-02-11 19:47:57,993 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x490000
2019-02-11 19:47:57,993 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2228fb
2019-02-11 19:47:57,993 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x490000.
2019-02-11 19:47:57,993 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x490000: 0x0.
2019-02-11 19:47:57,993 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x490000 and Type=0x0.
2019-02-11 19:47:57,993 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:47:57,993 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x490000, AllocationBaseExecBpSet = 1 (EIP = 0x2228fb)
2019-02-11 19:47:57,993 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 19:47:57,993 [root] DEBUG: ProtectionHandler: Address: 0x471000, RegionSize: 0x10000
2019-02-11 19:47:57,993 [root] DEBUG: ProtectionHandler: attempting CAPE dump on region: 0x490000.
2019-02-11 19:47:57,993 [root] DEBUG: DumpPEsInRange: Scanning range 0x470000 - 0x480000.
2019-02-11 19:47:57,993 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x470000
2019-02-11 19:47:57,993 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 19:47:57,993 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x470000
2019-02-11 19:47:57,993 [root] DEBUG: DumpProcess: Module entry point VA is 0x47f5e0
2019-02-11 19:47:57,993 [root] INFO: Added new CAPE file to list with path: C:\xpeihypzec\CAPE\928_9935727512222019
2019-02-11 19:47:57,993 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 19:47:57,993 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x470000.
2019-02-11 19:47:57,993 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x470001-0x480000.
2019-02-11 19:47:58,009 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-02-11 19:47:58,009 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x490000 - 0x4a8000.
2019-02-11 19:47:58,009 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x490000.
2019-02-11 19:47:58,009 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x490000.
2019-02-11 19:47:58,009 [root] DEBUG: DumpPEsInRange: Scanning range 0x470000 - 0x480000.
2019-02-11 19:47:58,009 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x470000
2019-02-11 19:47:58,009 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 19:47:58,009 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x470000
2019-02-11 19:47:58,009 [root] DEBUG: DumpProcess: Module entry point VA is 0x47f5e0
2019-02-11 19:47:58,009 [root] INFO: Added new CAPE file to list with path: C:\xpeihypzec\CAPE\928_95827512222019
2019-02-11 19:47:58,009 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 19:47:58,009 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x470000.
2019-02-11 19:47:58,009 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x470001-0x480000.
2019-02-11 19:47:58,009 [root] DEBUG: ProtectionHandler: Found and dumped PE image(s).
2019-02-11 19:47:58,009 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xb8, Size=0x0, Address=0x471000 and Type=0x0.
2019-02-11 19:47:58,009 [root] DEBUG: SetBreakpoint: Set bp 0 type 0 at address 0x471000, size 0 with Callback 0x74e62e90, ThreadHandle = 0xb8.
2019-02-11 19:47:58,009 [root] DEBUG: ProtectionHandler: Execution breakpoint 0 set base address: 0x471000, AllocationBaseExecBpSet = 1
2019-02-11 19:47:58,023 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x471000
2019-02-11 19:47:58,023 [root] DEBUG: MidPageExecCallback: Breakpoint 0 at Address 0x471000.
2019-02-11 19:47:58,023 [root] DEBUG: MidPageExecCallback: Debug: About to scan region for a PE image (base 0x470000, size 0x11000).
2019-02-11 19:47:58,023 [root] DEBUG: DumpPEsInRange: Scanning range 0x470000 - 0x481000.
2019-02-11 19:47:58,023 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x470000
2019-02-11 19:47:58,023 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 19:47:58,023 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x470000
2019-02-11 19:47:58,023 [root] DEBUG: DumpProcess: Module entry point VA is 0x47f5e0
2019-02-11 19:47:58,023 [root] INFO: Added new CAPE file to list with path: C:\xpeihypzec\CAPE\928_245827512222019
2019-02-11 19:47:58,023 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 19:47:58,023 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x470000.
2019-02-11 19:47:58,023 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x470001-0x481000.
2019-02-11 19:47:58,023 [root] DEBUG: MidPageExecCallback: PE image(s) detected and dumped.
2019-02-11 19:47:58,023 [root] DEBUG: MidPageExecCallback executed successfully.
2019-02-11 19:47:58,055 [root] INFO: Announced 32-bit process name: qep3B9WOJEjqG1.exe pid: 1584
2019-02-11 19:47:58,055 [root] INFO: Added new process to list with pid: 1584
2019-02-11 19:47:58,055 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-02-11 19:47:58,055 [lib.api.process] INFO: 32-bit DLL to inject is C:\xpeihypzec\dll\AmMwmRID.dll, loader C:\xpeihypzec\bin\yuOXBRi.exe
2019-02-11 19:47:58,134 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1584
2019-02-11 19:47:58,134 [root] INFO: Disabling sleep skipping.
2019-02-11 19:47:58,134 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77a00000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x77a5124a, Wow64PrepareForException: 0x0
2019-02-11 19:47:58,134 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0xb0000
2019-02-11 19:47:58,134 [root] DEBUG: CAPE initialised (32-bit).
2019-02-11 19:47:58,134 [root] INFO: Disabling sleep skipping.
2019-02-11 19:47:58,134 [root] INFO: Monitor successfully loaded in process with pid 1584.
2019-02-11 19:47:58,148 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x2e0000, RegionSize: 0x1a000.
2019-02-11 19:47:58,148 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x2e0000, AllocationSize: 0x1a000, ThreadId: 0x5bc
2019-02-11 19:47:58,148 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xb8, Size=0x2, Address=0x2e0000 and Type=0x1.
2019-02-11 19:47:58,148 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x2e0000, size 2 with Callback 0x74e63100, ThreadHandle = 0xb8.
2019-02-11 19:47:58,148 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x2e0000
2019-02-11 19:47:58,148 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1342924
2019-02-11 19:47:58,148 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x2e0000.
2019-02-11 19:47:58,148 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-02-11 19:47:58,148 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 19:47:58,148 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1342924
2019-02-11 19:47:58,148 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x2e0000.
2019-02-11 19:47:58,148 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-02-11 19:47:58,148 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x2e003c and Type=0x1.
2019-02-11 19:47:58,148 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:47:58,148 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x2e003c (EIP = 0x1342924)
2019-02-11 19:47:58,148 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 19:47:58,148 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1342924
2019-02-11 19:47:58,148 [root] DEBUG: PEPointerWriteCallback entry.
2019-02-11 19:47:58,148 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x2e003c.
2019-02-11 19:47:58,148 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x2e0080 and Type=0x1.
2019-02-11 19:47:58,148 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:47:58,148 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x2e0080 (EIP = 0x1342924)
2019-02-11 19:47:58,148 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-02-11 19:47:58,148 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1342924
2019-02-11 19:47:58,148 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x2e0080.
2019-02-11 19:47:58,148 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-02-11 19:47:58,148 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-02-11 19:47:58,148 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1342924
2019-02-11 19:47:58,148 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x2e0080.
2019-02-11 19:47:58,148 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x2e00a8 and Type=0x1.
2019-02-11 19:47:58,148 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:47:58,164 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x1342924).
2019-02-11 19:47:58,164 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-02-11 19:47:58,164 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1342924
2019-02-11 19:47:58,164 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x2e00a8.
2019-02-11 19:47:58,164 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x2e009f and Type=0x0.
2019-02-11 19:47:58,164 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:47:58,164 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x2e009f (EIP = 0x1342924).
2019-02-11 19:47:58,164 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 19:47:58,164 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1342924
2019-02-11 19:47:58,164 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x2e00a8.
2019-02-11 19:47:58,164 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x2e2e9f and Type=0x0.
2019-02-11 19:47:58,164 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:47:58,164 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x2e2e9f (EIP = 0x1342924).
2019-02-11 19:47:58,164 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 19:47:58,164 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1342924
2019-02-11 19:47:58,164 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x2e00a8.
2019-02-11 19:47:58,164 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x2e2e9f and Type=0x0.
2019-02-11 19:47:58,164 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:47:58,164 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x2e2e9f (EIP = 0x1342924).
2019-02-11 19:47:58,164 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 19:47:58,164 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1342924
2019-02-11 19:47:58,164 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x2e00a8.
2019-02-11 19:47:58,164 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x2e2e9f and Type=0x0.
2019-02-11 19:47:58,164 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:47:58,164 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x2e2e9f (EIP = 0x1342924).
2019-02-11 19:47:58,180 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 19:47:58,180 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x360000, RegionSize: 0x18000.
2019-02-11 19:47:58,180 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x2e0000.
2019-02-11 19:47:58,180 [root] DEBUG: DumpPEsInRange: Scanning range 0x2e0000 - 0x2fa000.
2019-02-11 19:47:58,180 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x2e0000
2019-02-11 19:47:58,180 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 19:47:58,180 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x2e0000
2019-02-11 19:47:58,180 [root] DEBUG: DumpProcess: Module entry point VA is 0x2e2e9f
2019-02-11 19:47:58,180 [root] INFO: Added new CAPE file to list with path: C:\xpeihypzec\CAPE\1584_1805827512222019
2019-02-11 19:47:58,180 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 19:47:58,180 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x2e0000.
2019-02-11 19:47:58,180 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2e0001-0x2fa000.
2019-02-11 19:47:58,180 [root] DEBUG: NtAllocateVirtualMemory hook: PE image(s) detected and dumped.
2019-02-11 19:47:58,180 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2e0000 - 0x2fa000.
2019-02-11 19:47:58,180 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x2e00a8.
2019-02-11 19:47:58,180 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x2e2e9f.
2019-02-11 19:47:58,180 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x360000, AllocationSize: 0x18000, ThreadId: 0x5bc
2019-02-11 19:47:58,180 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xb8, Size=0x2, Address=0x360000 and Type=0x1.
2019-02-11 19:47:58,180 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x360000, size 2 with Callback 0x74e63100, ThreadHandle = 0xb8.
2019-02-11 19:47:58,180 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x360000
2019-02-11 19:47:58,180 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2e28fb
2019-02-11 19:47:58,180 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x360000.
2019-02-11 19:47:58,196 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x360000: 0x0.
2019-02-11 19:47:58,196 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x360000 and Type=0x0.
2019-02-11 19:47:58,196 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:47:58,196 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x360000, AllocationBaseExecBpSet = 1 (EIP = 0x2e28fb)
2019-02-11 19:47:58,196 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 19:47:58,196 [root] DEBUG: ProtectionHandler: Address: 0x341000, RegionSize: 0x10000
2019-02-11 19:47:58,196 [root] DEBUG: ProtectionHandler: attempting CAPE dump on region: 0x360000.
2019-02-11 19:47:58,196 [root] DEBUG: DumpPEsInRange: Scanning range 0x340000 - 0x350000.
2019-02-11 19:47:58,196 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x340000
2019-02-11 19:47:58,196 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 19:47:58,196 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x340000
2019-02-11 19:47:58,196 [root] DEBUG: DumpProcess: Module entry point VA is 0x34f5e0
2019-02-11 19:47:58,196 [root] INFO: Added new CAPE file to list with path: C:\xpeihypzec\CAPE\1584_1965827512222019
2019-02-11 19:47:58,196 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 19:47:58,196 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x340000.
2019-02-11 19:47:58,196 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x340001-0x350000.
2019-02-11 19:47:58,196 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-02-11 19:47:58,196 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x360000 - 0x378000.
2019-02-11 19:47:58,196 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x360000.
2019-02-11 19:47:58,196 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x360000.
2019-02-11 19:47:58,211 [root] DEBUG: DumpPEsInRange: Scanning range 0x340000 - 0x350000.
2019-02-11 19:47:58,211 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x340000
2019-02-11 19:47:58,211 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 19:47:58,211 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x340000
2019-02-11 19:47:58,211 [root] DEBUG: DumpProcess: Module entry point VA is 0x34f5e0
2019-02-11 19:47:58,211 [root] INFO: Added new CAPE file to list with path: C:\xpeihypzec\CAPE\1584_2125827512222019
2019-02-11 19:47:58,211 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 19:47:58,211 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x340000.
2019-02-11 19:47:58,211 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x340001-0x350000.
2019-02-11 19:47:58,211 [root] DEBUG: ProtectionHandler: Found and dumped PE image(s).
2019-02-11 19:47:58,211 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xb8, Size=0x0, Address=0x341000 and Type=0x0.
2019-02-11 19:47:58,211 [root] DEBUG: SetBreakpoint: Set bp 0 type 0 at address 0x341000, size 0 with Callback 0x74e62e90, ThreadHandle = 0xb8.
2019-02-11 19:47:58,211 [root] DEBUG: ProtectionHandler: Execution breakpoint 0 set base address: 0x341000, AllocationBaseExecBpSet = 1
2019-02-11 19:47:58,226 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x341000
2019-02-11 19:47:58,226 [root] DEBUG: MidPageExecCallback: Breakpoint 0 at Address 0x341000.
2019-02-11 19:47:58,226 [root] DEBUG: MidPageExecCallback: Debug: About to scan region for a PE image (base 0x340000, size 0x11000).
2019-02-11 19:47:58,226 [root] DEBUG: DumpPEsInRange: Scanning range 0x340000 - 0x351000.
2019-02-11 19:47:58,226 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x340000
2019-02-11 19:47:58,226 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 19:47:58,226 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x340000
2019-02-11 19:47:58,226 [root] DEBUG: DumpProcess: Module entry point VA is 0x34f5e0
2019-02-11 19:47:58,226 [root] INFO: Added new CAPE file to list with path: C:\xpeihypzec\CAPE\1584_2275827512222019
2019-02-11 19:47:58,226 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 19:47:58,226 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x340000.
2019-02-11 19:47:58,226 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x340001-0x351000.
2019-02-11 19:47:58,226 [root] DEBUG: MidPageExecCallback: PE image(s) detected and dumped.
2019-02-11 19:47:58,226 [root] DEBUG: MidPageExecCallback executed successfully.
2019-02-11 19:47:58,226 [root] INFO: Notified of termination of process with pid 928.
2019-02-11 19:48:04,608 [root] INFO: Announced starting service "dafpanes"
2019-02-11 19:48:04,608 [root] INFO: Attaching to Service Control Manager (services.exe - pid 464)
2019-02-11 19:48:04,608 [lib.api.process] DEBUG: Using CreateRemoteThread injection.
2019-02-11 19:48:04,622 [lib.api.process] INFO: 64-bit DLL to inject is C:\xpeihypzec\dll\fcCjsLs.dll, loader C:\xpeihypzec\bin\JLMGKukY.exe
2019-02-11 19:48:04,638 [root] DEBUG: Terminate processes on terminate_event disabled.
2019-02-11 19:48:04,654 [root] DEBUG: Process dumps enabled.
2019-02-11 19:48:04,654 [root] INFO: Disabling sleep skipping.
2019-02-11 19:48:04,686 [root] WARNING: Unable to place hook on LockResource
2019-02-11 19:48:04,700 [root] WARNING: Unable to hook LockResource
2019-02-11 19:48:04,717 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 464 at 0x0000000074AD0000, image base 0x00000000FF330000, stack from 0x0000000002A56000-0x0000000002A60000
2019-02-11 19:48:04,717 [root] DEBUG: Commandline: C:\Windows\sysnative\services.exe.
2019-02-11 19:48:04,717 [root] INFO: Added new process to list with pid: 464
2019-02-11 19:48:04,717 [root] INFO: Monitor successfully loaded in process with pid 464.
2019-02-11 19:48:05,700 [root] INFO: Announced 32-bit process name: dafpanes.exe pid: 1844
2019-02-11 19:48:05,700 [root] INFO: Added new process to list with pid: 1844
2019-02-11 19:48:05,700 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-02-11 19:48:05,700 [lib.api.process] INFO: 32-bit DLL to inject is C:\xpeihypzec\dll\AmMwmRID.dll, loader C:\xpeihypzec\bin\yuOXBRi.exe
2019-02-11 19:48:05,700 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1844
2019-02-11 19:48:05,730 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77a00000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x77a5124a, Wow64PrepareForException: 0x0
2019-02-11 19:48:05,746 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0xb0000
2019-02-11 19:48:05,746 [root] DEBUG: CAPE initialised (32-bit).
2019-02-11 19:48:05,762 [root] INFO: Disabling sleep skipping.
2019-02-11 19:48:05,778 [root] INFO: Monitor successfully loaded in process with pid 1844.
2019-02-11 19:48:05,792 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x1e0000, RegionSize: 0x1a000.
2019-02-11 19:48:05,792 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x1e0000, AllocationSize: 0x1a000, ThreadId: 0x5c0
2019-02-11 19:48:05,792 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xb8, Size=0x2, Address=0x1e0000 and Type=0x1.
2019-02-11 19:48:05,792 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x1e0000, size 2 with Callback 0x74e63100, ThreadHandle = 0xb8.
2019-02-11 19:48:05,809 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x1e0000
2019-02-11 19:48:05,809 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1342924
2019-02-11 19:48:05,809 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x1e0000.
2019-02-11 19:48:05,809 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-02-11 19:48:05,823 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 19:48:05,823 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1342924
2019-02-11 19:48:05,839 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x1e0000.
2019-02-11 19:48:05,839 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-02-11 19:48:05,855 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x1e003c and Type=0x1.
2019-02-11 19:48:05,855 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:48:05,871 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x1e003c (EIP = 0x1342924)
2019-02-11 19:48:05,871 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 19:48:05,887 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1342924
2019-02-11 19:48:05,887 [root] DEBUG: PEPointerWriteCallback entry.
2019-02-11 19:48:05,917 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x1e003c.
2019-02-11 19:48:05,917 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x1e0080 and Type=0x1.
2019-02-11 19:48:05,917 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:48:05,917 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x1e0080 (EIP = 0x1342924)
2019-02-11 19:48:05,917 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-02-11 19:48:05,917 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1342924
2019-02-11 19:48:05,917 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x1e0080.
2019-02-11 19:48:05,917 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-02-11 19:48:05,948 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-02-11 19:48:05,948 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1342924
2019-02-11 19:48:05,964 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x1e0080.
2019-02-11 19:48:05,964 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x1e00a8 and Type=0x1.
2019-02-11 19:48:05,964 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:48:05,964 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x1342924).
2019-02-11 19:48:05,980 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-02-11 19:48:05,980 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1342924
2019-02-11 19:48:06,012 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x1e00a8.
2019-02-11 19:48:06,012 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x1e009f and Type=0x0.
2019-02-11 19:48:06,012 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:48:06,012 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x1e009f (EIP = 0x1342924).
2019-02-11 19:48:06,026 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 19:48:06,026 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1342924
2019-02-11 19:48:06,026 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x1e00a8.
2019-02-11 19:48:06,026 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x1e2e9f and Type=0x0.
2019-02-11 19:48:06,026 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:48:06,026 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x1e2e9f (EIP = 0x1342924).
2019-02-11 19:48:06,026 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 19:48:06,042 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1342924
2019-02-11 19:48:06,042 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x1e00a8.
2019-02-11 19:48:06,042 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x1e2e9f and Type=0x0.
2019-02-11 19:48:06,042 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:48:06,042 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x1e2e9f (EIP = 0x1342924).
2019-02-11 19:48:06,042 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 19:48:06,042 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1342924
2019-02-11 19:48:06,042 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x1e00a8.
2019-02-11 19:48:06,042 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x1e2e9f and Type=0x0.
2019-02-11 19:48:06,058 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:48:06,058 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x1e2e9f (EIP = 0x1342924).
2019-02-11 19:48:06,073 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 19:48:06,105 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x680000, RegionSize: 0x18000.
2019-02-11 19:48:06,105 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x1e0000.
2019-02-11 19:48:06,105 [root] DEBUG: DumpPEsInRange: Scanning range 0x1e0000 - 0x1fa000.
2019-02-11 19:48:06,121 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x1e0000
2019-02-11 19:48:06,121 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 19:48:06,135 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x1e0000
2019-02-11 19:48:06,135 [root] DEBUG: DumpProcess: Module entry point VA is 0x1e2e9f
2019-02-11 19:48:06,167 [root] INFO: Added new CAPE file to list with path: C:\xpeihypzec\CAPE\1844_136628512222019
2019-02-11 19:48:06,167 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 19:48:06,167 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x1e0000.
2019-02-11 19:48:06,167 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1e0001-0x1fa000.
2019-02-11 19:48:06,167 [root] DEBUG: NtAllocateVirtualMemory hook: PE image(s) detected and dumped.
2019-02-11 19:48:06,167 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1e0000 - 0x1fa000.
2019-02-11 19:48:06,167 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x1e00a8.
2019-02-11 19:48:06,167 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x1e2e9f.
2019-02-11 19:48:06,198 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x680000, AllocationSize: 0x18000, ThreadId: 0x5c0
2019-02-11 19:48:06,198 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xb8, Size=0x2, Address=0x680000 and Type=0x1.
2019-02-11 19:48:06,213 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x680000, size 2 with Callback 0x74e63100, ThreadHandle = 0xb8.
2019-02-11 19:48:06,230 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x680000
2019-02-11 19:48:06,246 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1e28fb
2019-02-11 19:48:06,246 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x680000.
2019-02-11 19:48:06,260 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x680000: 0x0.
2019-02-11 19:48:06,260 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x680000 and Type=0x0.
2019-02-11 19:48:06,292 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:48:06,292 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0x680000, AllocationBaseExecBpSet = 1 (EIP = 0x1e28fb)
2019-02-11 19:48:06,292 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 19:48:06,292 [root] DEBUG: ProtectionHandler: Address: 0x201000, RegionSize: 0x10000
2019-02-11 19:48:06,292 [root] DEBUG: ProtectionHandler: attempting CAPE dump on region: 0x680000.
2019-02-11 19:48:06,292 [root] DEBUG: DumpPEsInRange: Scanning range 0x200000 - 0x210000.
2019-02-11 19:48:06,292 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x200000
2019-02-11 19:48:06,308 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 19:48:06,323 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x200000
2019-02-11 19:48:06,323 [root] DEBUG: DumpProcess: Module entry point VA is 0x20f5e0
2019-02-11 19:48:06,338 [root] INFO: Added new CAPE file to list with path: C:\xpeihypzec\CAPE\1844_324628512222019
2019-02-11 19:48:06,338 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 19:48:06,338 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x200000.
2019-02-11 19:48:06,355 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x200001-0x210000.
2019-02-11 19:48:06,355 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-02-11 19:48:06,355 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x680000 - 0x698000.
2019-02-11 19:48:06,369 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x680000.
2019-02-11 19:48:06,369 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x680000.
2019-02-11 19:48:06,369 [root] DEBUG: DumpPEsInRange: Scanning range 0x200000 - 0x210000.
2019-02-11 19:48:06,369 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x200000
2019-02-11 19:48:06,369 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 19:48:06,369 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x200000
2019-02-11 19:48:06,369 [root] DEBUG: DumpProcess: Module entry point VA is 0x20f5e0
2019-02-11 19:48:06,369 [root] INFO: Added new CAPE file to list with path: C:\xpeihypzec\CAPE\1844_370628512222019
2019-02-11 19:48:06,369 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 19:48:06,417 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x200000.
2019-02-11 19:48:06,417 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x200001-0x210000.
2019-02-11 19:48:06,417 [root] DEBUG: ProtectionHandler: Found and dumped PE image(s).
2019-02-11 19:48:06,447 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xb8, Size=0x0, Address=0x201000 and Type=0x0.
2019-02-11 19:48:06,447 [root] DEBUG: SetBreakpoint: Set bp 0 type 0 at address 0x201000, size 0 with Callback 0x74e62e90, ThreadHandle = 0xb8.
2019-02-11 19:48:06,463 [root] DEBUG: ProtectionHandler: Execution breakpoint 0 set base address: 0x201000, AllocationBaseExecBpSet = 1
2019-02-11 19:48:06,480 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x201000
2019-02-11 19:48:06,510 [root] DEBUG: MidPageExecCallback: Breakpoint 0 at Address 0x201000.
2019-02-11 19:48:06,510 [root] DEBUG: MidPageExecCallback: Debug: About to scan region for a PE image (base 0x200000, size 0x11000).
2019-02-11 19:48:06,510 [root] DEBUG: DumpPEsInRange: Scanning range 0x200000 - 0x211000.
2019-02-11 19:48:06,510 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x200000
2019-02-11 19:48:06,510 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 19:48:06,542 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x200000
2019-02-11 19:48:06,542 [root] DEBUG: DumpProcess: Module entry point VA is 0x20f5e0
2019-02-11 19:48:06,542 [root] INFO: Added new CAPE file to list with path: C:\xpeihypzec\CAPE\1844_998122612222019
2019-02-11 19:48:06,542 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 19:48:06,572 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x200000.
2019-02-11 19:48:06,588 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x200001-0x211000.
2019-02-11 19:48:06,604 [root] DEBUG: MidPageExecCallback: PE image(s) detected and dumped.
2019-02-11 19:48:06,635 [root] DEBUG: MidPageExecCallback executed successfully.
2019-02-11 19:48:06,667 [root] INFO: Announced 32-bit process name: dafpanes.exe pid: 1544
2019-02-11 19:48:06,667 [root] INFO: Added new process to list with pid: 1544
2019-02-11 19:48:06,667 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-02-11 19:48:06,667 [lib.api.process] INFO: 32-bit DLL to inject is C:\xpeihypzec\dll\AmMwmRID.dll, loader C:\xpeihypzec\bin\yuOXBRi.exe
2019-02-11 19:48:06,667 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1544
2019-02-11 19:48:06,681 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77a00000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x77a5124a, Wow64PrepareForException: 0x0
2019-02-11 19:48:06,681 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x130000
2019-02-11 19:48:06,681 [root] DEBUG: CAPE initialised (32-bit).
2019-02-11 19:48:06,681 [root] INFO: Disabling sleep skipping.
2019-02-11 19:48:06,681 [root] INFO: Monitor successfully loaded in process with pid 1544.
2019-02-11 19:48:06,697 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0x8e0000, RegionSize: 0x1a000.
2019-02-11 19:48:06,713 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0x8e0000, AllocationSize: 0x1a000, ThreadId: 0x24c
2019-02-11 19:48:06,729 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xb8, Size=0x2, Address=0x8e0000 and Type=0x1.
2019-02-11 19:48:06,729 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0x8e0000, size 2 with Callback 0x74e63100, ThreadHandle = 0xb8.
2019-02-11 19:48:06,729 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0x8e0000
2019-02-11 19:48:06,729 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1342924
2019-02-11 19:48:06,744 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x8e0000.
2019-02-11 19:48:06,744 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2019-02-11 19:48:06,744 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 19:48:06,744 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1342924
2019-02-11 19:48:06,759 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x8e0000.
2019-02-11 19:48:06,759 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-02-11 19:48:06,776 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x8e003c and Type=0x1.
2019-02-11 19:48:06,776 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:48:06,776 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x8e003c (EIP = 0x1342924)
2019-02-11 19:48:06,792 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 19:48:06,792 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1342924
2019-02-11 19:48:06,792 [root] DEBUG: PEPointerWriteCallback entry.
2019-02-11 19:48:06,792 [root] DEBUG: PEPointerWriteCallback: Breakpoint 0 at Address 0x8e003c.
2019-02-11 19:48:06,806 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x8e0080 and Type=0x1.
2019-02-11 19:48:06,822 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:48:06,822 [root] DEBUG: PEPointerWriteCallback: set write bp on e_lfanew write location 0x8e0080 (EIP = 0x1342924)
2019-02-11 19:48:06,838 [root] DEBUG: PEPointerWriteCallback executed successfully.
2019-02-11 19:48:06,838 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1342924
2019-02-11 19:48:06,854 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x8e0080.
2019-02-11 19:48:06,869 [root] DEBUG: PEHeaderWriteCallback: PE header has: 0x50.
2019-02-11 19:48:06,869 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-02-11 19:48:06,869 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1342924
2019-02-11 19:48:06,884 [root] DEBUG: PEHeaderWriteCallback: Breakpoint 0 at Address 0x8e0080.
2019-02-11 19:48:06,884 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x4, Address=0x8e00a8 and Type=0x1.
2019-02-11 19:48:06,901 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:48:06,915 [root] DEBUG: PEHeaderWriteCallback: set write bp on AddressOfEntryPoint location (EIP = 0x1342924).
2019-02-11 19:48:06,915 [root] DEBUG: PEHeaderWriteCallback executed successfully.
2019-02-11 19:48:06,915 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1342924
2019-02-11 19:48:06,947 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x8e00a8.
2019-02-11 19:48:06,947 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x8e009f and Type=0x0.
2019-02-11 19:48:06,947 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:48:06,963 [root] DEBUG: EntryPointWriteCallback: Execution bp 1 set on EntryPoint 0x8e009f (EIP = 0x1342924).
2019-02-11 19:48:06,979 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 19:48:06,979 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1342924
2019-02-11 19:48:06,993 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x8e00a8.
2019-02-11 19:48:06,993 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x8e2e9f and Type=0x0.
2019-02-11 19:48:07,009 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:48:07,040 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x8e2e9f (EIP = 0x1342924).
2019-02-11 19:48:07,040 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 19:48:07,040 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1342924
2019-02-11 19:48:07,040 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x8e00a8.
2019-02-11 19:48:07,040 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x8e2e9f and Type=0x0.
2019-02-11 19:48:07,040 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:48:07,040 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x8e2e9f (EIP = 0x1342924).
2019-02-11 19:48:07,056 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 19:48:07,072 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x1342924
2019-02-11 19:48:07,088 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x8e00a8.
2019-02-11 19:48:07,088 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0x8e2e9f and Type=0x0.
2019-02-11 19:48:07,088 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:48:07,104 [root] DEBUG: EntryPointWriteCallback: Updated EntryPoint execution bp 1 to 0x8e2e9f (EIP = 0x1342924).
2019-02-11 19:48:07,104 [root] DEBUG: EntryPointWriteCallback executed successfully.
2019-02-11 19:48:07,104 [root] DEBUG: NtAllocateVirtualMemory hook, BaseAddress:0xa80000, RegionSize: 0x18000.
2019-02-11 19:48:07,104 [root] DEBUG: NtAllocateVirtualMemory hook: attempting CAPE dump on previous region: 0x8e0000.
2019-02-11 19:48:07,104 [root] DEBUG: DumpPEsInRange: Scanning range 0x8e0000 - 0x8fa000.
2019-02-11 19:48:07,104 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x8e0000
2019-02-11 19:48:07,134 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 19:48:07,150 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x8e0000
2019-02-11 19:48:07,150 [root] DEBUG: DumpProcess: Module entry point VA is 0x8e2e9f
2019-02-11 19:48:07,150 [root] INFO: Added new CAPE file to list with path: C:\xpeihypzec\CAPE\1544_150728512222019
2019-02-11 19:48:07,150 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 19:48:07,150 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x8e0000.
2019-02-11 19:48:07,165 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x8e0001-0x8fa000.
2019-02-11 19:48:07,181 [root] DEBUG: NtAllocateVirtualMemory hook: PE image(s) detected and dumped.
2019-02-11 19:48:07,181 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x8e0000 - 0x8fa000.
2019-02-11 19:48:07,197 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x8e00a8.
2019-02-11 19:48:07,197 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x8e2e9f.
2019-02-11 19:48:07,197 [root] DEBUG: SetInitialWriteBreakpoint: AllocationBase: 0xa80000, AllocationSize: 0x18000, ThreadId: 0x24c
2019-02-11 19:48:07,197 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xb8, Size=0x2, Address=0xa80000 and Type=0x1.
2019-02-11 19:48:07,197 [root] DEBUG: SetBreakpoint: Set bp 0 type 1 at address 0xa80000, size 2 with Callback 0x74e63100, ThreadHandle = 0xb8.
2019-02-11 19:48:07,197 [root] DEBUG: SetInitialWriteBreakpoint: Breakpoint 0 set write on word at base address: 0xa80000
2019-02-11 19:48:07,197 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x8e28fb
2019-02-11 19:48:07,197 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0xa80000.
2019-02-11 19:48:07,197 [root] DEBUG: BaseAddressWriteCallback: byte written to 0xa80000: 0x0.
2019-02-11 19:48:07,197 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x0, Address=0xa80000 and Type=0x0.
2019-02-11 19:48:07,227 [root] DEBUG: ContextSetBreakpoint: Call to ContextSetDebugRegister succeeded.
2019-02-11 19:48:07,227 [root] DEBUG: BaseAddressWriteCallback: Execution breakpoint 1 set base address: 0xa80000, AllocationBaseExecBpSet = 1 (EIP = 0x8e28fb)
2019-02-11 19:48:07,227 [root] DEBUG: BaseAddressWriteCallback executed successfully.
2019-02-11 19:48:07,227 [root] DEBUG: ProtectionHandler: Address: 0xa51000, RegionSize: 0x10000
2019-02-11 19:48:07,227 [root] DEBUG: ProtectionHandler: attempting CAPE dump on region: 0xa80000.
2019-02-11 19:48:07,227 [root] DEBUG: DumpPEsInRange: Scanning range 0xa50000 - 0xa60000.
2019-02-11 19:48:07,259 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0xa50000
2019-02-11 19:48:07,259 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 19:48:07,275 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0xa50000
2019-02-11 19:48:07,275 [root] DEBUG: DumpProcess: Module entry point VA is 0xa5f5e0
2019-02-11 19:48:07,290 [root] INFO: Added new CAPE file to list with path: C:\xpeihypzec\CAPE\1544_275728512222019
2019-02-11 19:48:07,290 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 19:48:07,305 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0xa50000.
2019-02-11 19:48:07,305 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xa50001-0xa60000.
2019-02-11 19:48:07,305 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-02-11 19:48:07,305 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0xa80000 - 0xa98000.
2019-02-11 19:48:07,305 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0xa80000.
2019-02-11 19:48:07,322 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0xa80000.
2019-02-11 19:48:07,322 [root] DEBUG: DumpPEsInRange: Scanning range 0xa50000 - 0xa60000.
2019-02-11 19:48:07,322 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0xa50000
2019-02-11 19:48:07,352 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 19:48:07,352 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0xa50000
2019-02-11 19:48:07,368 [root] DEBUG: DumpProcess: Module entry point VA is 0xa5f5e0
2019-02-11 19:48:07,368 [root] INFO: Added new CAPE file to list with path: C:\xpeihypzec\CAPE\1544_369728512222019
2019-02-11 19:48:07,368 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 19:48:07,368 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0xa50000.
2019-02-11 19:48:07,368 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xa50001-0xa60000.
2019-02-11 19:48:07,368 [root] DEBUG: ProtectionHandler: Found and dumped PE image(s).
2019-02-11 19:48:07,368 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xb8, Size=0x0, Address=0xa51000 and Type=0x0.
2019-02-11 19:48:07,368 [root] DEBUG: SetBreakpoint: Set bp 0 type 0 at address 0xa51000, size 0 with Callback 0x74e62e90, ThreadHandle = 0xb8.
2019-02-11 19:48:07,384 [root] DEBUG: ProtectionHandler: Execution breakpoint 0 set base address: 0xa51000, AllocationBaseExecBpSet = 1
2019-02-11 19:48:07,384 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0xa51000
2019-02-11 19:48:07,400 [root] DEBUG: MidPageExecCallback: Breakpoint 0 at Address 0xa51000.
2019-02-11 19:48:07,400 [root] DEBUG: MidPageExecCallback: Debug: About to scan region for a PE image (base 0xa50000, size 0x11000).
2019-02-11 19:48:07,400 [root] DEBUG: DumpPEsInRange: Scanning range 0xa50000 - 0xa61000.
2019-02-11 19:48:07,400 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0xa50000
2019-02-11 19:48:07,415 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-02-11 19:48:07,415 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0xa50000
2019-02-11 19:48:07,447 [root] DEBUG: DumpProcess: Module entry point VA is 0xa5f5e0
2019-02-11 19:48:07,447 [root] INFO: Added new CAPE file to list with path: C:\xpeihypzec\CAPE\1544_112292612222019
2019-02-11 19:48:07,461 [root] DEBUG: DumpProcess: Module image dump success
2019-02-11 19:48:07,461 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0xa50000.
2019-02-11 19:48:07,477 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xa50001-0xa61000.
2019-02-11 19:48:07,477 [root] DEBUG: MidPageExecCallback: PE image(s) detected and dumped.
2019-02-11 19:48:07,493 [root] DEBUG: MidPageExecCallback executed successfully.
2019-02-11 19:48:07,493 [root] INFO: Notified of termination of process with pid 1844.
2019-02-11 19:48:07,493 [root] WARNING: Unable to open termination event for pid 1844.
2019-02-11 19:48:07,493 [root] INFO: Notified of termination of process with pid 1584.
2019-02-11 19:48:57,601 [root] INFO: Analysis timeout hit (60 seconds), terminating analysis.
2019-02-11 19:48:57,601 [root] INFO: Created shutdown mutex.
2019-02-11 19:48:58,615 [root] INFO: Setting terminate event for process 1544.
2019-02-11 19:48:59,130 [root] INFO: Shutting down package.
2019-02-11 19:48:59,130 [root] INFO: Stopping auxiliary modules.
2019-02-11 19:48:59,130 [root] INFO: Finishing auxiliary modules.
2019-02-11 19:48:59,130 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-02-11 19:48:59,130 [root] INFO: Analysis completed.

MalScore

10.0

Emotet

Machine

Name Label Manager Started On Shutdown On
target-04 target-04 ESX 2019-02-11 19:47:54 2019-02-11 19:49:13

File Details

File Name 4a2b2437814089607b287659cca2f9d82d5b7e3b5bd745f0c1c225cffd3dd83b
File Size 278528 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 05f2b36b1b902f5d55b48af6bfb9714c
SHA1 ba59b4b7b45d0eec8d5a48ca1b6694775eb75311
SHA256 4a2b2437814089607b287659cca2f9d82d5b7e3b5bd745f0c1c225cffd3dd83b
SHA512 6b6edae5b96e95ca14ada76261341b2e454f6c6dddd7be52f5aa67c18dd2bedbb0a090b012fadb48b658b9ed6b1649ace4b0c21e1ea919e76a046731680ef2ce
CRC32 BEC7CD43
Ssdeep 3072:K0GSuyj6pb6MK0K3LmABJU7xX8i9CgkvD40+q3cWTrNdas60YvZdLqk5O:YSuM6pbnHK3aAQ7y0+c0Rps0kdL5
TrID
  • 38.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 26.3% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 11.8% (.EXE) OS/2 Executable (generic) (2029/13)
  • 11.6% (.EXE) Generic Win/DOS Executable (2002/3)
  • 11.6% (.EXE) DOS Executable Generic (2000/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 928 triggered the Yara rule 'Emotet'
Mimics the system's user agent string for its own requests
Dynamic (imported) function loading detected
DynamicLoader: GDI32.dll/GetStockObject
DynamicLoader: USER32.dll/ShowWindow
DynamicLoader: USER32.dll/DefWindowProcA
DynamicLoader: USER32.dll/CreateWindowExA
DynamicLoader: USER32.dll/RegisterClassExA
DynamicLoader: USER32.dll/LoadImageA
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/LoadCursorA
DynamicLoader: USER32.dll/LoadIconA
DynamicLoader: USER32.dll/GetMessageA
DynamicLoader: USER32.dll/DispatchMessageA
DynamicLoader: USER32.dll/TranslateMessage
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: USER32.dll/UpdateWindow
DynamicLoader: kernel32.dll/FreeConsole
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/lstrcmpA
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/GetProcessHeap
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/lstrcmpW
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/GetBinaryTypeW
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: GDI32.dll/GetStockObject
DynamicLoader: USER32.dll/ShowWindow
DynamicLoader: USER32.dll/DefWindowProcA
DynamicLoader: USER32.dll/CreateWindowExA
DynamicLoader: USER32.dll/RegisterClassExA
DynamicLoader: USER32.dll/LoadImageA
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/LoadCursorA
DynamicLoader: USER32.dll/LoadIconA
DynamicLoader: USER32.dll/GetMessageA
DynamicLoader: USER32.dll/DispatchMessageA
DynamicLoader: USER32.dll/TranslateMessage
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: USER32.dll/UpdateWindow
DynamicLoader: kernel32.dll/FreeConsole
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/lstrcmpA
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/GetProcessHeap
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/lstrcmpW
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: ADVAPI32.dll/OpenThreadToken
DynamicLoader: propsys.dll/PSLookupPropertyHandlerCLSID
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: propsys.dll/PSCreatePropertyStoreFromObject
DynamicLoader: propsys.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToStringAlloc
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: propsys.dll/PropVariantToBuffer
DynamicLoader: propsys.dll/PropVariantToUInt64
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: propsys.dll/InitPropVariantFromBuffer
DynamicLoader: ADVAPI32.dll/GetNamedSecurityInfoW
DynamicLoader: ADVAPI32.dll/TreeSetNamedSecurityInfoW
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: OLEAUT32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: kernel32.dll/GetBinaryTypeW
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: GDI32.dll/GetStockObject
DynamicLoader: USER32.dll/ShowWindow
DynamicLoader: USER32.dll/DefWindowProcA
DynamicLoader: USER32.dll/CreateWindowExA
DynamicLoader: USER32.dll/RegisterClassExA
DynamicLoader: USER32.dll/LoadImageA
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/LoadCursorA
DynamicLoader: USER32.dll/LoadIconA
DynamicLoader: USER32.dll/GetMessageA
DynamicLoader: USER32.dll/DispatchMessageA
DynamicLoader: USER32.dll/TranslateMessage
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: USER32.dll/UpdateWindow
DynamicLoader: kernel32.dll/FreeConsole
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/lstrcmpA
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/GetProcessHeap
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/lstrcmpW
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/GetBinaryTypeW
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: GDI32.dll/GetStockObject
DynamicLoader: USER32.dll/ShowWindow
DynamicLoader: USER32.dll/DefWindowProcA
DynamicLoader: USER32.dll/CreateWindowExA
DynamicLoader: USER32.dll/RegisterClassExA
DynamicLoader: USER32.dll/LoadImageA
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/LoadCursorA
DynamicLoader: USER32.dll/LoadIconA
DynamicLoader: USER32.dll/GetMessageA
DynamicLoader: USER32.dll/DispatchMessageA
DynamicLoader: USER32.dll/TranslateMessage
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: USER32.dll/UpdateWindow
DynamicLoader: kernel32.dll/FreeConsole
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/lstrcmpA
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/GetProcessHeap
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/lstrcmpW
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptGenKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptDuplicateHash
DynamicLoader: CRYPTSP.dll/CryptEncrypt
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: RASAPI32.dll/RasConnectionNotificationW
DynamicLoader: sechost.dll/NotifyServiceStatusChangeA
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: iphlpapi.DLL/GetAdaptersAddresses
DynamicLoader: DHCPCSVC.DLL/DhcpRequestParams
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
Expresses interest in specific running processes
process: dafpanes.exe
process: qep3B9WOJEjqG1.exe
The binary likely contains encrypted or compressed data.
section: name: .rdata, entropy: 7.76, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x0001b000, virtual_size: 0x0001ae0c
Deletes its original binary from disk
Attempts to remove evidence of file being downloaded from the Internet
file: C:\Windows\SysWOW64\dafpanes.exe:Zone.Identifier
Installs itself for autorun at Windows startup
service name: dafpanes
service path: "C:\Windows\SysWOW64\dafpanes.exe"
CAPE detected the Emotet malware family
Creates a copy of itself
copy: C:\Windows\SysWOW64\dafpanes.exe
Drops a binary and executes it
binary: C:\Windows\SysWOW64\dafpanes.exe
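The "likely contains encrypted or compressed data" signature above rests on one number: the `.rdata` section scores 7.76 bits per byte, close to the 8.0 ceiling for uniformly random bytes. The script below is an added example, not code from the CAPE report or the CAPE project: it parses the PE section table by hand (stdlib only), scores each section's raw bytes with Shannon entropy and returns the ones above a threshold. The 7.4 threshold, the `build_fake_pe` helper and the two constructed sections (`.text` filled with repeated text, `.rdata` filled with seeded pseudo-random bytes) are assumptions for the demonstration; the real sample is not reproduced.

```python
"""Per-section entropy triage, the heuristic behind CAPE's
"binary likely contains encrypted or compressed data" signature.
Stdlib only; the PE headers are parsed by hand so no real sample is needed."""
import math
import random
import struct
from collections import Counter

# Assumed triage threshold (bits per byte); 8.0 is the maximum for bytes.
HIGH_ENTROPY = 7.4


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Yield (name, raw_offset, raw_size, virtual_size, characteristics)
    for every entry in the section table of an in-memory PE image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size             # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        off = table + 40 * i
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", image, off)
        (chars,) = struct.unpack_from("<I", image, off + 36)
        yield name.rstrip(b"\0").decode("ascii", "replace"), rptr, rsize, vsize, chars


def suspicious_sections(image: bytes, threshold: float = HIGH_ENTROPY):
    """Return [(name, entropy, raw_size)] for sections whose raw bytes score
    at or above `threshold`.  Empty or truncated sections are skipped, not scored."""
    hits = []
    for name, rptr, rsize, _vsize, _chars in pe_sections(image):
        raw = image[rptr:rptr + rsize]
        if rsize == 0 or len(raw) < rsize:
            continue
        ent = shannon_entropy(raw)
        if ent >= threshold:
            hits.append((name, round(ent, 2), rsize))
    return hits


def build_fake_pe(sections) -> bytes:
    """Constructed test image (assumption, not a loadable PE): minimal MZ and
    PE headers, an empty optional header, and the given [(name, payload)]
    sections laid out back to back after the section table."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    ptr = e_lfanew + 4 + 20 + 40 * len(sections)
    table, body = b"", b""
    for name, payload in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(payload),
                             0x1000, len(payload), ptr, 0, 0, 0, 0, 0x40000040)
        body += payload
        ptr += len(payload)
    return dos + b"PE\0\0" + coff + table + body


# Constructed sample: readable text in .text, seeded pseudo-random bytes in .rdata.
_rng = random.Random(1337)
SAMPLE_IMAGE = build_fake_pe([
    (b".text", b"This program cannot be run in DOS mode.\r\n" * 200),
    (b".rdata", bytes(_rng.getrandbits(8) for _ in range(0x4000))),
])

if __name__ == "__main__":
    for name, ent, size in suspicious_sections(SAMPLE_IMAGE):
        print(f"{name:<8} entropy={ent:.2f} raw_size=0x{size:08x}")
```

High entropy is a triage signal, not a verdict: packed installers, embedded certificates and compressed resources score just as high, so pair the hit with the behavioural indicators in this report (self-copy, service install, Zone.Identifier removal) before drawing conclusions.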

Screenshots


Hosts

Direct  IP              Country
Y       69.170.237.82   United States
Y       181.164.25.28   Argentina

DNS

No domains contacted.
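Taken together, the signatures and the network sections describe one chain: the sample copies itself into SysWOW64, strips the Zone.Identifier stream from the copy, registers a service whose ImagePath is that copy, deletes the original, and then connects to two public IPs without any DNS lookup. The correlation below is an added example, not part of the CAPE report or its code: it replays that chain over a small list of constructed, EDR-agnostic event dicts that reproduce this report's indicators (the `dafpanes` service key and path, the Zone.Identifier stream, the two hosts). The event field names, the pid assigned to the dropped copy (1540) and the two benign control events are assumptions; map them onto the fields your EDR or Sysmon pipeline actually emits.

```python
"""Correlate the persistence and C2 indicators from a sandbox report over a
stream of host events.  Event shape is a constructed, EDR-agnostic dict
(assumption); events are processed in order, so the write of a file must be
seen before the service registration that points at it."""
import ipaddress
import re

# HKLM\SYSTEM\<ControlSet>\services\<name>\ImagePath, either hive spelling.
SERVICE_IMAGEPATH = re.compile(
    r"^(?:HKLM|HKEY_LOCAL_MACHINE)\\SYSTEM\\(?:CurrentControlSet|ControlSet\d+)"
    r"\\services\\([^\\]+)\\ImagePath$",
    re.IGNORECASE,
)


def analyze(events):
    """Return [(rule, detail)] findings for the event list, in event order."""
    findings = []
    dropped = {}        # lower-case path -> pid that created it
    image_of = {}       # pid -> lower-case image path of that process
    resolved = set()    # every IP returned by a DNS answer so far
    for ev in events:
        kind, pid = ev["kind"], ev["pid"]
        if kind == "process_create":
            image_of[pid] = ev["image"].lower()
        elif kind == "file_create":
            dropped[ev["path"].lower()] = pid
        elif kind == "file_delete":
            path = ev["path"].lower()
            if path.endswith(":zone.identifier"):
                findings.append(("motw_removed", f"pid {pid} deleted {ev['path']}"))
            if path in image_of.values():
                findings.append(("original_binary_deleted",
                                 f"pid {pid} deleted process image {ev['path']}"))
        elif kind == "registry_set":
            m = SERVICE_IMAGEPATH.match(ev["key"])
            if m:
                exe = ev["value"].strip().strip('"').lower()
                if exe in dropped:
                    findings.append(("service_from_dropped_binary",
                                     f"service {m.group(1)} -> {ev['value']} "
                                     f"(written by pid {dropped[exe]})"))
        elif kind == "dns_query":
            resolved.update(ev.get("answers", []))
        elif kind == "network_connect":
            dst = ev["dst_ip"]
            if ipaddress.ip_address(dst).is_global and dst not in resolved:
                findings.append(("direct_ip_connect",
                                 f"pid {pid} -> {dst} with no prior DNS answer"))
    return findings


# Constructed events mirroring this report; pid 1540 and the two control
# events at the end (a resolved name, a loopback connect) are assumptions.
SAMPLE_EVENTS = [
    {"kind": "process_create", "pid": 928,
     "image": r"C:\Users\user\AppData\Local\Temp\qep3B9WOJEjqG1.exe"},
    {"kind": "file_create", "pid": 928, "path": r"C:\Windows\SysWOW64\dafpanes.exe"},
    {"kind": "file_delete", "pid": 928,
     "path": r"C:\Windows\SysWOW64\dafpanes.exe:Zone.Identifier"},
    {"kind": "registry_set", "pid": 928,
     "key": r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dafpanes\ImagePath",
     "value": r'"C:\Windows\SysWOW64\dafpanes.exe"'},
    {"kind": "process_create", "pid": 1540, "image": r"C:\Windows\SysWOW64\dafpanes.exe"},
    {"kind": "file_delete", "pid": 1540,
     "path": r"C:\Users\user\AppData\Local\Temp\qep3B9WOJEjqG1.exe"},
    {"kind": "network_connect", "pid": 1540, "dst_ip": "69.170.237.82"},
    {"kind": "network_connect", "pid": 1540, "dst_ip": "181.164.25.28"},
    {"kind": "dns_query", "pid": 1540, "name": "example.com", "answers": ["93.184.216.34"]},
    {"kind": "network_connect", "pid": 1540, "dst_ip": "93.184.216.34"},
    {"kind": "network_connect", "pid": 1540, "dst_ip": "127.0.0.1"},
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:<28} {detail}")
```

The direct-IP rule on its own is noisy (NTP clients, update CDNs and anything with a hard-coded address will trip it), which is why the example reports it as one finding among several rather than a verdict: the value is in the co-occurrence with a service registered from a freshly written binary in SysWOW64 and a removed Zone.Identifier stream, all from the same process lineage.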


Summary

C:\Windows\System32\tzres.dll
C:\Users\user\AppData\Local\Temp\qep3B9WOJEjqG1.exe
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\
C:\Windows\SysWOW64\compareiface.exe
C:\Windows\
C:\Windows\SysWOW64\
\Device\KsecDD
C:\Windows\SysWOW64\shell32.dll
C:\Windows\SysWOW64\dafpanes.exe
C:\Users
C:\Users\user\AppData\Local\Microsoft\Windows\Caches
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000d.db
\??\MountPointManager
C:\Users\desktop.ini
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Users\user\AppData\Local\Temp
C:\Windows
C:\Windows\SysWOW64
C:\Windows\SysWOW64\propsys.dll
C:\Windows\sysnative\propsys.dll
C:\Users\user\AppData\Local\
C:\Windows\SysWOW64\dafpanes.exe:Zone.Identifier
C:\Windows\Temp
C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk
C:\ProgramData\Microsoft\Network\Connections\Pbk\*.pbk
C:\Windows\System32\ras\*.pbk
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Network\Connections\Pbk\*.pbk
C:\Windows\System32\tzres.dll
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\user\AppData\Local\Temp\qep3B9WOJEjqG1.exe
\Device\KsecDD
C:\Windows\SysWOW64\shell32.dll
C:\
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000d.db
C:\Users\desktop.ini
C:\Users
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Windows
C:\Users\user\AppData\Local\Temp
C:\Windows\SysWOW64\dafpanes.exe
C:\Windows\SysWOW64\dafpanes.exe
C:\Windows\SysWOW64\compareiface.exe
C:\Users\user\AppData\Local\Temp\qep3B9WOJEjqG1.exe
C:\Windows\SysWOW64\dafpanes.exe:Zone.Identifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\NoFileFolderConnection
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\qep3B9WOJEjqG1.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AccessProviders
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_CLASSES_ROOT\.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\(Default)
HKEY_CLASSES_ROOT\.exe\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice
HKEY_CLASSES_ROOT\exefile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\ShellEx\IconHandler
HKEY_CLASSES_ROOT\SystemFileAssociations\.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\NeverShowExt
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.exe\(Default)
HKEY_CLASSES_ROOT\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\OverrideFileSystemProperties
HKEY_CLASSES_ROOT\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\DisableProcessIsolation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\NoOplock
HKEY_CLASSES_ROOT\ExplorerCLSIDFlags\{66742402-F9B9-11D1-A202-0000F81FEDEE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseInProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseOutOfProcHandlerCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Shell\RegisteredApplications\UrlAssociations\Directory\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\Directory
HKEY_CLASSES_ROOT\Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\IconHandler
HKEY_CLASSES_ROOT\Folder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\IconHandler
HKEY_CLASSES_ROOT\AllFilesystemObjects
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\PropertyHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\PropertyHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\PropertyHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Advanced\MaxUndoItems
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\qep3B9WOJEjqG1.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\qep3B9WOJEjqG1.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\{2F711B17-773C-41D4-93FA-7F23EDCECB66}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\{2F711B17-773C-41D4-93FA-7F23EDCECB66}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\{2F711B17-773C-41D4-93FA-7F23EDCECB66}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceCopyACLWithFile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\{000214F9-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\{000214F9-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\{000214F9-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoEncryptOnMove
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dafpanes
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dafpanes\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dafpanes\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dafpanes\WOW64
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_USERS\S-1-5-18
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_USERS\.DEFAULT\Environment
HKEY_USERS\.DEFAULT\Volatile Environment
HKEY_USERS\.DEFAULT\Volatile Environment\0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dafpanes\Environment
HKEY_CURRENT_USER
HKEY_USERS\.DEFAULT\Control Panel\International
HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName
HKEY_USERS\.DEFAULT\Control Panel\International\sCountry
HKEY_USERS\.DEFAULT\Control Panel\International\sList
HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal
HKEY_USERS\.DEFAULT\Control Panel\International\sThousand
HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits
HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign
HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign
HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime
HKEY_USERS\.DEFAULT\Control Panel\International\s1159
HKEY_USERS\.DEFAULT\Control Panel\International\s2359
HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate
HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth
HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate
HKEY_USERS\.DEFAULT\Control Panel\International\iCountry
HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure
HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize
HKEY_USERS\.DEFAULT\Control Panel\International\iDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iLZero
HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber
HKEY_USERS\.DEFAULT\Control Panel\International\NumShape
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr
HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASMANCS\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASMANCS\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASMANCS\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASMANCS\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASMANCS\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASMANCS\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser
HKEY_USERS\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\NoFileFolderConnection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.exe\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\DisableProcessIsolation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\NoOplock
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseInProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseOutOfProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceCopyACLWithFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoEncryptOnMove
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dafpanes\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dafpanes\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dafpanes\WOW64
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dafpanes\Environment
HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName
HKEY_USERS\.DEFAULT\Control Panel\International\sCountry
HKEY_USERS\.DEFAULT\Control Panel\International\sList
HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal
HKEY_USERS\.DEFAULT\Control Panel\International\sThousand
HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits
HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign
HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign
HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime
HKEY_USERS\.DEFAULT\Control Panel\International\s1159
HKEY_USERS\.DEFAULT\Control Panel\International\s2359
HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate
HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth
HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate
HKEY_USERS\.DEFAULT\Control Panel\International\iCountry
HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure
HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize
HKEY_USERS\.DEFAULT\Control Panel\International\iDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iLZero
HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber
HKEY_USERS\.DEFAULT\Control Panel\International\NumShape
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr
HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASMANCS\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASMANCS\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASMANCS\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASMANCS\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASMANCS\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dafpanes_RASMANCS\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
kernel32.dll.GetBinaryTypeW
kernel32.dll.VirtualAlloc
kernel32.dll.GetProcAddress
kernel32.dll.LoadLibraryA
gdi32.dll.GetStockObject
user32.dll.ShowWindow
user32.dll.DefWindowProcA
user32.dll.CreateWindowExA
user32.dll.RegisterClassExA
user32.dll.LoadImageA
user32.dll.GetSystemMetrics
user32.dll.LoadCursorA
user32.dll.LoadIconA
user32.dll.GetMessageA
user32.dll.DispatchMessageA
user32.dll.TranslateMessage
user32.dll.wsprintfA
user32.dll.UpdateWindow
kernel32.dll.FreeConsole
kernel32.dll.GetCurrentProcessId
kernel32.dll.HeapFree
kernel32.dll.lstrcmpA
kernel32.dll.HeapAlloc
kernel32.dll.GetProcessHeap
kernel32.dll.GetTickCount
kernel32.dll.lstrcmpW
kernel32.dll.lstrlenW
kernel32.dll.GetCurrentProcess
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
oleaut32.dll.#200
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
comctl32.dll.#385
comctl32.dll.#320
comctl32.dll.#324
comctl32.dll.#323
ole32.dll.CreateBindCtx
ole32.dll.CoTaskMemAlloc
ole32.dll.CoGetApartmentType
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoTaskMemFree
comctl32.dll.#236
oleaut32.dll.#6
ole32.dll.CoGetMalloc
comctl32.dll.#328
comctl32.dll.#334
oleaut32.dll.#2
ole32.dll.CoCreateInstance
advapi32.dll.InitializeSecurityDescriptor
advapi32.dll.SetEntriesInAclW
ntmarta.dll.GetMartaExtensionInterface
advapi32.dll.SetSecurityDescriptorDacl
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
setupapi.dll.CM_Get_Device_Interface_List_ExW
comctl32.dll.#332
comctl32.dll.#386
advapi32.dll.IsTextUnicode
comctl32.dll.#338
comctl32.dll.#339
shell32.dll.#102
advapi32.dll.OpenThreadToken
propsys.dll.PSLookupPropertyHandlerCLSID
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryValueExW
advapi32.dll.RegCloseKey
propsys.dll.PSCreatePropertyStoreFromObject
propsys.dll.#417
propsys.dll.PropVariantToStringAlloc
ole32.dll.PropVariantClear
propsys.dll.PSCreateMemoryPropertyStore
propsys.dll.PropVariantToBuffer
propsys.dll.PropVariantToUInt64
propsys.dll.PropVariantToBoolean
propsys.dll.InitPropVariantFromBuffer
advapi32.dll.GetNamedSecurityInfoW
advapi32.dll.TreeSetNamedSecurityInfoW
ole32.dll.CoUninitialize
comctl32.dll.#329
comctl32.dll.#388
comctl32.dll.#321
ole32.dll.CoRevokeInitializeSpy
oleaut32.dll.#500
comctl32.dll.#387
comctl32.dll.#327
advapi32.dll.UnregisterTraceGuids
cryptsp.dll.CryptReleaseContext
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptGenKey
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptDuplicateHash
cryptsp.dll.CryptEncrypt
cryptsp.dll.CryptExportKey
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptDestroyHash
rasapi32.dll.RasConnectionNotificationW
sechost.dll.NotifyServiceStatusChangeA
advapi32.dll.RegDeleteTreeA
advapi32.dll.RegDeleteTreeW
iphlpapi.dll.GetAdaptersAddresses
dhcpcsvc.dll.DhcpRequestParams
"C:\Windows\SysWOW64\dafpanes.exe"
PEM5E8
PEM3A0
Global\IA4889F95
Global\MA4889F95
PEM1D0
PEM734
IESQMMUTEX_0_208
dafpanes
dafpanes

PE Information

Image Base 0x00400000
Entry Point 0x0040265b
Reported Checksum 0x00000000
Actual Checksum 0x0004b08c
Minimum OS Version 6.0
PDB Path YmAGxf1R..pdb
Compile Time 2019-02-11 19:42:17
Import Hash 0c67c751b832376593210b2a6dfd1042

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x000030d8 0x00004000 IMAGE_SCN_TYPE_NO_PAD|IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_LNK_INFO|IMAGE_SCN_LNK_REMOVE|IMAGE_SCN_GPREL|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.60
.rdata 0x00005000 0x0001ae0c 0x0001b000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 7.76
.data 0x00020000 0x00002100 0x00001000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_LNK_COMDAT|IMAGE_SCN_NO_DEFER_SPEC_EXC|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.30
.s2u 0x00023000 0x00021190 0x00022000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.31
.reloc 0x00045000 0x000001e8 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 1.15
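
The section table above already carries packer indicators before anything is executed: `.text` has IMAGE_SCN_LNK_INFO, IMAGE_SCN_LNK_REMOVE and IMAGE_SCN_GPREL set, flags that only exist in object files and that no linker writes into an image; `.data` is flagged as code; `.rdata` has entropy 7.76, near-random for a read-only data section; and the reported checksum is zero. The following added example (not CAPE's own code; written for this page) parses those five rows exactly as the report prints them and lists the anomalies per section. The thresholds it uses (entropy 7.0 and 7.2, raw size 0x8000, the 4x virtual-to-raw ratio) are the author's triage heuristics, not a standard.

```python
"""Static triage of a CAPE 'Sections' table. Added example, not CAPE's own
code: parses the section rows as the report prints them and flags header
inconsistencies that a compiler/linker would never produce."""

# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h), by the names CAPE prints.
SCN = {
    "IMAGE_SCN_TYPE_NO_PAD":            0x00000008,
    "IMAGE_SCN_CNT_CODE":               0x00000020,
    "IMAGE_SCN_CNT_INITIALIZED_DATA":   0x00000040,
    "IMAGE_SCN_CNT_UNINITIALIZED_DATA": 0x00000080,
    "IMAGE_SCN_LNK_INFO":               0x00000200,
    "IMAGE_SCN_LNK_REMOVE":             0x00000800,
    "IMAGE_SCN_LNK_COMDAT":             0x00001000,
    "IMAGE_SCN_NO_DEFER_SPEC_EXC":      0x00004000,
    "IMAGE_SCN_GPREL":                  0x00008000,
    "IMAGE_SCN_MEM_DISCARDABLE":        0x02000000,
    "IMAGE_SCN_MEM_EXECUTE":            0x20000000,
    "IMAGE_SCN_MEM_READ":               0x40000000,
    "IMAGE_SCN_MEM_WRITE":              0x80000000,
}
# Object-file-only flags: the linker consumes them and never writes them into
# an image, so their presence means the section header was hand-crafted.
OBJ_ONLY = (SCN["IMAGE_SCN_LNK_INFO"] | SCN["IMAGE_SCN_LNK_REMOVE"]
            | SCN["IMAGE_SCN_LNK_COMDAT"] | SCN["IMAGE_SCN_GPREL"])

# The five "Sections" rows copied from this report.
SECTION_ROWS = """\
.text 0x00001000 0x000030d8 0x00004000 IMAGE_SCN_TYPE_NO_PAD|IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_LNK_INFO|IMAGE_SCN_LNK_REMOVE|IMAGE_SCN_GPREL|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.60
.rdata 0x00005000 0x0001ae0c 0x0001b000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 7.76
.data 0x00020000 0x00002100 0x00001000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_LNK_COMDAT|IMAGE_SCN_NO_DEFER_SPEC_EXC|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.30
.s2u 0x00023000 0x00021190 0x00022000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.31
.reloc 0x00045000 0x000001e8 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 1.15"""


def parse_flags(spec):
    """'A|B|C' as printed by CAPE -> Characteristics bitmask."""
    return sum(SCN[name] for name in spec.split("|"))


def parse_rows(text):
    """Yield (name, vaddr, vsize, rawsize, flags, entropy) for each table row."""
    for line in text.splitlines():
        name, va, vs, rs, chars, ent = line.split()
        yield name, int(va, 16), int(vs, 16), int(rs, 16), parse_flags(chars), float(ent)


def section_anomalies(name, vsize, rawsize, flags, entropy):
    """Reasons a section header looks written by a packer rather than a linker.
    Entropy/size thresholds are heuristics chosen for this example."""
    x = bool(flags & SCN["IMAGE_SCN_MEM_EXECUTE"])
    w = bool(flags & SCN["IMAGE_SCN_MEM_WRITE"])
    code = bool(flags & SCN["IMAGE_SCN_CNT_CODE"])
    bss = bool(flags & SCN["IMAGE_SCN_CNT_UNINITIALIZED_DATA"])
    reasons = []
    if flags & OBJ_ONLY:
        reasons.append("object-file-only flags set in image section")
    if code and bss:
        reasons.append("marked both code and uninitialized data")
    if x and w:
        reasons.append("writable and executable")
    if name == ".data" and code:
        reasons.append(".data flagged as code")
    if x and entropy > 7.0:
        reasons.append("executable section with near-random entropy")
    if not x and entropy > 7.2 and rawsize >= 0x8000:
        reasons.append("large high-entropy non-code section (possible encrypted payload)")
    if rawsize and vsize > 4 * rawsize:
        reasons.append("virtual size far larger than raw size (room to unpack in place)")
    return reasons


def triage(rows_text, reported_checksum, actual_checksum):
    """Map section name -> anomaly list, plus a 'header' entry for the checksum.
    A zero checksum is weak on its own (many legitimate EXEs ship without one)
    and is reported only as context."""
    findings = {}
    for name, _va, vsize, rawsize, flags, entropy in parse_rows(rows_text):
        reasons = section_anomalies(name, vsize, rawsize, flags, entropy)
        if reasons:
            findings[name] = reasons
    if reported_checksum == 0:
        findings["header"] = ["PE checksum not set (weak signal by itself)"]
    elif reported_checksum != actual_checksum:
        findings["header"] = ["PE checksum does not match image contents"]
    return findings


if __name__ == "__main__":
    for section, reasons in triage(SECTION_ROWS, 0x00000000, 0x0004b08c).items():
        print(f"{section:7} {'; '.join(reasons)}")
```

Run against the rows above it flags `.text`, `.data`, `.rdata` and the header, while `.s2u` and `.reloc` come out clean. The import table further down tells the same story: it is thin and odd for a GUI executable, while the resolved-API list in the behaviour summary opens with VirtualAlloc, GetProcAddress and LoadLibraryA, the unpacking stub resolving the real working set at runtime.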

Imports

Library USER32.dll:
0x405050 GetFocus
0x405054 EnableScrollBar
0x405058 GetKeyboardType
0x40505c GetTopWindow
0x405064 GetClassNameW
Library WINSPOOL.DRV:
Library KERNEL32.dll:
0x405010 GetCurrentProcessId
0x405014 GetCommandLineW
0x405018 GetVersion
0x40501c CloseHandle
0x405020 UnlockFileEx
0x405024 TlsGetValue
0x405028 ZombifyActCtx
0x40502c WaitForSingleObject
0x405030 Thread32First
0x405034 HeapCompact
0x40503c GetLargePageMinimum
Library SHLWAPI.dll:
0x405048 GetMenuPosFromID
Library ADVAPI32.dll:
0x405000 IsTokenRestricted
Library GDI32.dll:
Library VERSION.dll:

Strings

.text
`.rdata
@.data
@.reloc
CUqP#jB
AugustGsimilarsforthe0zOmnibox
andaheadVoofPhavemikewas
masterWebKit,ohackerssetmessageon
andf4
xu300andO4fixed8
GChrome7or1269R9memoryis
Major.minortrackingwebmost
0orNovemberthezQ79
Chromesupport9QtheVgThemesB
releasethroughsodinterfacerather6useprocedure
afterTweetDeckwOgassembledOj
9LBD0devftheNj
in4XaAMozillaspeed.326Y
xdiedX
v2nreplacementbasedXinH5PointJavaScriptECMAScript
ntdll.dll
YmAGxf1R..pdb
GetClassNameW
SetMenuContextHelpId
EnableScrollBar
GetFocus
GetKeyboardType
GetTopWindow
USER32.dll
DeletePrinterConnectionW
WINSPOOL.DRV
UnlockFileEx
TlsGetValue
ZombifyActCtx
WaitForSingleObject
Thread32First
HeapCompact
UnregisterApplicationRestart
GetLargePageMinimum
GetTimeZoneInformation
GetCommandLineW
GetCurrentProcessId
GetVersion
CloseHandle
KERNEL32.dll
GetMenuPosFromID
SHLWAPI.dll
IsTokenRestricted
ADVAPI32.dll
GetTextExtentExPointW
GDI32.dll
GetFileVersionInfoSizeA
VERSION.dll
(article:bwK26260enginelanguages,eachX
ration de |1 en cours.
<inconnu>
ponse '%1!ls!'
plusieurs fois
: '%1!ls!'
mes de compilation, y compris/le contenu de tous les fichiers de code source.
rence de l'assembly '%1!ls!'<Ajout du fichier de ressources '%1!ls!' en tant que '%2!ls!'
rence au module '%1!ls!'
E UNIQUEMENT -
<string>
un assembly.
rite de System.Windows.Forms.Form.
e. resinfo:<fichier>[,<nom>[,public|private]]
cifie un fichier de ressources Win32 (.res).
Activer les optimisations.
claration explicite des variables obligatoire.(Appliquer une syntaxe de langue stricte.
que ou un module (hex).
de nom fort.
veloppement .NET Framework SDK (mscorlib.dll).
riter de 'System.|1' n'est pas valide.
thodes.
nements de la classe de base.3Try doit utiliser au moins un 'Catch' ou 'Finally'.
tres ParamArray et Optional.
s avec 'New'.
re occurrence de 'Case'.(Une expression de constante est requise.WUne conversion de '|1' en '|2' ne peut pas avoir lieu dans une expression de constante.
tre la cible d'une assignation.
rieur d'une instruction 'Select Case'.
s ne sont pas valides en tant qu'indices de tableau.
thode actuelle.A'Select Case' doit se terminer par un 'End Select' correspondant.
rieur d'une instruction 'Select'.
;Tout branchement en dehors d'un 'Finally' n'est pas valide.
rande a le type '|1'.
.9'|1' est un type Enum et n'est pas une expression valide.9'|1' est un type et n'est donc pas une expression valide.@'|1' est un type classe et n'est donc pas une expression valide.C'|1' est un type structure et n'est donc pas une expression valide.C'|1' est un type interface et n'est donc pas une expression valide.
comme nom d'espace de noms racine.
: |0:Impossible d'incorporer le fichier de ressources '|1' : |0
menter '|2' pour l'interface '|3'.
cificateurs 'ReadOnly'/'WriteOnly' correspondants.
tre que dans une instruction 'With'.
er une instance de Module '|1'.
s dans '|5') sont en conflit dans l'espace de noms '|4'.
d'un 'Enum' correspondant.8'Enum' doit se terminer par un 'End Enum' correspondant.
claration attendue.
cificateurs et les attributs ne sont pas valides sur cette instruction.
tre suivi de 'Text' ou 'Binary'.
rent une clause 'As'.
Virgule ou ')' attendu.
'Sub' ou 'Function' attendu.
thode.
tre qu'une seule fois par fichier.
claration de variable membre.
rateur relationnel attendu.
claration event.&'|1' n'est pas valide dans un Declare.
'=' attendu.
d'un 'Interface' correspondant.B'Interface' doit se terminer par un 'End Interface' correspondant.
riter que d'autres classes.
en tant que '|2' dans ce |3.
finitions comportant des signatures identiques.
claration event d'interface.
s 'Delegate'.
un |1 dans une base |3.
'.' attendu.
me nom que la fonction qui la contient.
claration 'Sub', car un 'Sub' ne retourne pas de valeur.
rencient.
tre convertie en '|2'.
me instruction 'Select'.
rence.
tre de type '|1'.
rencient.
riter que d'une autre interface.
clarations dans une interface.
'|1'.
faut.
en tant que type.
e dans l'interface '|2'.
d'un 'Try' correspondant.
claration delegate.
clarer un 'Sub New', car sa classe de base '|2' n'a pas de 'Sub New' accessible qu'il est possible d'appeler sans argument.
<'|1' n'est pas accessible dans ce contexte, car il est '|2'.?'|1.|2' n'est pas accessible dans ce contexte, car il est '|3'.
rieur d'une instruction 'Try'.
'MustOverride'.
menter '|2', car il n'existe pas de |3 correspondant sur l'interface '|4'.
'|2'.
rents.A'ReDim' ne peut pas changer le nombre de dimensions d'un tableau.
%'Sub Main' est introuvable dans '|1'.
, pas de type classe, structure ou tableau.
d'un 'Property' correspondant.
sentable dans le type '|1'.
claration Const ne peut pas avoir un initialiseur de tableau.
fini pour les types '|2' et '|3'.
tre '|1' de '|2'.!'|1' n'est pas un membre de '|2'.
'|1'.
thode et ne peut pas avoir de liste d'arguments.
'|2', car il s'agit d'une instruction 'Declare'.
tre de type tableau.
'|1'.JUne instruction 'Class' doit se terminer par un 'End Class' correspondant.
fini pour le type '|2'.
avec '|1'.*Cette expression ne produit pas de valeur.
Exposant non valide.
nements.
s 'Shared'.3La clause Handles requiert une variable WithEvents.
s de |3 de base.
EOption Strict On interdit les conversions implicites de '|1' en '|2'.
'|1' est 'WriteOnly'.
'|1' est 'ReadOnly'.
finition.
thode 'Date.FromOADate'.
valuation de cette expression.
ou utiliser sa valeur.
thodes d'interface.
clarations dans les modules '|2' et '|3'.1'|1' est ambigu dans les objets application '|2'.
e 'MustInherit'.
/Option Strict On rejette toute liaison tardive.
partir de '|2'.
tre ParamArray.
nement.
finitions de types.
e comme la fin de l'interface.
s '|1'.
gative.
tres optionnels.
votre projet.NUne instruction 'Return' dans un Function ou un Get doit retourner une valeur.'Le fichier requis '|1' est introuvable.
: '|2'
cificateur de type unique.
s avec des limites explicites.
d'un '#Region' correspondant.LL'instruction '#Region' doit se terminer par un '#End Region' correspondant.
re de type.
en tant qu'expression.
: |1 - |2
tre Commande.
bogage.
nements.
tre Commande.
a la valeur 'Nothing'.
es dans le runtime.8Impossible d'obtenir des informations de type pour '|1'.
'|1'.
rieures.
faut.
s d'E/S sur fichier sont disponibles dans l'espace de noms 'Microsoft.VisualBasic'.
la place.
s graphiques en tant que 'System.Drawing.Graphics.DrawLine'.
e '|1' dans la DLL '|2' : |0
.NET.
e par cette classe.
de nouveau.
es 'Default'.XLes initialiseurs sur les membres de structures ne sont valides que pour les constantes.
e dans un assembly.
e '|1'.
en tant que module.
rence.
cifier des modificateurs de tableau sur la variable et son type.
ralement d'un fichier 'Microsoft.VisualBasic.dll' incompatible.
'|2' dans |3 '|4'.
en tant qu'attribut, car ce n'est pas une classe.
rencer '|1', car il ne s'agit pas d'un assembly.
me projet.
e.%'|1' n'est pas valide dans un module.&'|1' n'est valide que dans une classe.
'Assembly' ou 'Module' attendu.
.:Virgule, ')' ou continuation d'expression valide attendue.
re instruction d'une ligne.
'MyBase.New' ou 'MyClass.New', car la classe de base '|1' de '|2' a plusieurs 'Sub New' accessibles qu'il est possible d'appeler sans argument.
'Friend' et n'est pas accessible en dehors du projet qui le contient.
me classe.
e 'MustInherit'.
: '|2'
'Shadows'.RD'autres langages peuvent permettre la substitution de membres Friend Overridable.
tre identiques.
faut.
faut.
nement.
VS_VERSION_INFO
StringFileInfo
040C04B0
CompanyName
Microsoft Corpora
FileDescription
ApiSet Stub DLL
FileVersion
6.2.9200
InternalName
apisetstu
LegalCopyright
Microsoft Corporation. All rights reserved.
OriginalFilename
apisetstu
ProductName
io .NET
ProductVersion
6.2.9200
VarFileInfo
Translation
This file is not on VirusTotal.

Process Tree


qep3B9WOJEjqG1.exe, PID: 928, Parent PID: 1512
Full Path: C:\Users\user\AppData\Local\Temp\qep3B9WOJEjqG1.exe
Command Line: "C:\Users\user\AppData\Local\Temp\qep3B9WOJEjqG1.exe"
qep3B9WOJEjqG1.exe, PID: 1584, Parent PID: 928
Full Path: C:\Users\user\AppData\Local\Temp\qep3B9WOJEjqG1.exe
Command Line: "C:\Users\user\AppData\Local\Temp\qep3B9WOJEjqG1.exe"
services.exe, PID: 464, Parent PID: 376
Full Path: C:\Windows\sysnative\services.exe
Command Line: C:\Windows\system32\services.exe
dafpanes.exe, PID: 1844, Parent PID: 464
Full Path: C:\Windows\SysWOW64\dafpanes.exe
Command Line: "C:\Windows\SysWOW64\dafpanes.exe"
dafpanes.exe, PID: 1544, Parent PID: 1844
Full Path: C:\Windows\SysWOW64\dafpanes.exe
Command Line: "C:\Windows\SysWOW64\dafpanes.exe"

Hosts

Direct  IP              Country Name
Y       69.170.237.82   United States
Y       181.164.25.28   Argentina

TCP

Source         Source Port  Destination     Destination Port
192.168.35.24  49184        181.164.25.28   443
192.168.35.24  49183        69.170.237.82   20

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

No dropped Suricata extracted files.

JA3

No JA3 hashes found.

File name dafpanes.exe
Associated Filenames
C:\Windows\SysWOW64\dafpanes.exe
File Size 278528 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 05f2b36b1b902f5d55b48af6bfb9714c
SHA1 ba59b4b7b45d0eec8d5a48ca1b6694775eb75311
SHA256 4a2b2437814089607b287659cca2f9d82d5b7e3b5bd745f0c1c225cffd3dd83b
CRC32 BEC7CD43
Ssdeep 3072:K0GSuyj6pb6MK0K3LmABJU7xX8i9CgkvD40+q3cWTrNdas60YvZdLqk5O:YSuM6pbnHK3aAQ7y0+c0Rps0kdL5
ClamAV None
Yara None matched
CAPE Yara None matched
Type Emotet Config
RSA public key
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+
0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ
Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
-----END PUBLIC KEY-----
address
69.170.237.82:20
181.164.25.28:443
190.248.133.18:443
97.121.198.2:8080
189.154.100.228:443
51.255.50.164:8080
192.163.199.254:8080
23.254.203.51:8080
72.47.248.48:8080
144.76.117.247:8080
201.156.42.238:443
190.186.110.202:22
117.4.245.5:21
192.155.90.90:7080
75.110.229.201:443
70.30.252.174:8090
208.189.3.60:53
219.94.254.93:8080
186.4.127.72:995
66.228.228.211:143
69.163.33.82:8080
116.58.87.8:80
104.200.80.44:20
66.209.69.165:443
74.45.170.110:80
47.157.230.41:8080
74.62.52.222:20
138.68.139.199:443
12.6.183.21:8080
117.218.253.157:8080
201.239.126.253:21
5.9.128.163:8080
159.65.76.245:443
197.83.251.252:22
190.117.226.104:8080
201.143.10.67:143
165.227.213.173:8080
187.145.0.129:7080
201.203.187.56:465
109.104.79.48:8080
73.141.99.157:21
185.86.148.222:8080
187.146.255.151:8443
210.2.86.72:8080
187.149.41.221:8080
24.194.252.25:80
189.173.176.115:443
98.238.127.216:21
190.182.161.7:8080
181.56.165.97:53
189.170.39.188:8080
92.48.118.27:8080
209.243.21.172:22
186.72.205.234:22
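
The config block above is what the unpacked payload (the "Emotet Payload" dumps listed below) uses to reach its C2 tier: a 768-bit RSA public key and 54 ip:port endpoints. The CryptGenKey, CryptExportKey and CryptEncrypt calls in the resolved-API list are consistent with the usual exchange, a generated symmetric key exported under this RSA key and sent alongside the encrypted body. As a check on the decoded config, the following added example (not CAPE's or Emotet's code; written for this page, standard library only) parses the PEM with a minimal DER reader to confirm it is an rsaEncryption key of 768 bits with e=65537, fingerprints the key so it can be matched across samples, and verifies that both destinations in the TCP table above appear in the C2 list, i.e. that the traffic CAPE recorded is explained by the extracted config. Only a subset of the endpoints is embedded; the observed-connection list is copied from the TCP table.

```python
"""Sanity checks on an extracted Emotet config. Added example, not CAPE's or
Emotet's code: parse the RSA SubjectPublicKeyInfo with a minimal DER reader,
fingerprint it, and confirm observed TCP destinations are in the C2 list."""
import base64
import hashlib
import re

# Public key exactly as printed in this report's config block.
EMOTET_PUBKEY_PEM = """-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+
0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ
Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
-----END PUBLIC KEY-----"""

# Subset of the config's C2 list copied from the report. Ports such as
# 20/22/53/995 are labels only: Emotet does not speak FTP/SSH/DNS/POP3S
# on them, so match on the ip:port pair, not on the service the port implies.
C2_CONFIG = """69.170.237.82:20
181.164.25.28:443
190.248.133.18:443
97.121.198.2:8080
190.186.110.202:22
208.189.3.60:53
186.4.127.72:995"""

# The two destinations from the report's TCP table.
OBSERVED_TCP = [("181.164.25.28", 443), ("69.170.237.82", 20)]

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def der_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = size of length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(pem):
    """Return (modulus_bits, public_exponent, sha256_hex_of_der) for an RSA
    SubjectPublicKeyInfo in PEM form; raise ValueError on anything else."""
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(body)
    tag, spki, _ = der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg, pos = der_tlv(spki, 0)              # AlgorithmIdentifier
    oid_tag, oid, _ = der_tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = der_tlv(spki, pos)           # BIT STRING holding RSAPublicKey
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("unexpected BIT STRING")
    _, rsa_pub, _ = der_tlv(bitstr, 1)            # SEQUENCE { n INTEGER, e INTEGER }
    _, n_bytes, pos = der_tlv(rsa_pub, 0)
    _, e_bytes, _ = der_tlv(rsa_pub, pos)
    n = int.from_bytes(n_bytes, "big")            # a leading 0x00 pad byte is harmless
    e = int.from_bytes(e_bytes, "big")
    return n.bit_length(), e, hashlib.sha256(der).hexdigest()


def parse_c2_list(text):
    """'ip:port' lines -> set of (ip, port); malformed entries are dropped."""
    out = set()
    for m in re.finditer(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$", text, re.M):
        ip, port = m.group(1), int(m.group(2))
        if all(0 <= int(o) <= 255 for o in ip.split(".")) and 0 < port < 65536:
            out.add((ip, port))
    return out


def unexplained_connections(observed, c2s):
    """Observed destinations not present in the config. Anything returned here
    means the sample reached something the config decoder did not recover."""
    return [dst for dst in observed if dst not in c2s]


if __name__ == "__main__":
    bits, e, fp = parse_rsa_spki(EMOTET_PUBKEY_PEM)
    print(f"RSA-{bits}, e={e}, spki-sha256={fp}")
    c2s = parse_c2_list(C2_CONFIG)
    print(f"{len(c2s)} C2 endpoints; unexplained: {unexplained_connections(OBSERVED_TCP, c2s)}")
```

The SHA-256 over the DER-encoded key is the value to pivot on: Emotet rotated C2 lists far more often than RSA keys, so the fingerprint groups samples by operator key even when no address overlaps. The same `unexplained_connections` check, run with the full 54-entry list, is the quickest way to spot a config decoder that silently truncated the address array.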
Type Extracted PE Image: 32-bit executable
Size 20992 bytes
Virtual Address 0x220000
Process qep3B9WOJEjqG1.exe
PID 928
Path C:\Users\user\AppData\Local\Temp\qep3B9WOJEjqG1.exe
MD5 d99c9b0c88574a7e8beede544df1b7fc
SHA1 cda2cb07e8da083809c8fcc2a302866b366c4dc5
SHA256 dcf6212c726bc990be3be79e60ed7d71469638456ffb0a77138719e6524b4c6a
CRC32 7842786A
Ssdeep 384:zZA8/qa4CuEWbqGd/QF28G5Hq+e5EhCSs79Xidc:zL/PSbqGdU5rSs7did
Yara None matched
CAPE Yara None matched
Type Emotet Payload: 32-bit executable
Size 78336 bytes
Virtual Address 0x470000
Process qep3B9WOJEjqG1.exe
PID 928
Path C:\Users\user\AppData\Local\Temp\qep3B9WOJEjqG1.exe
MD5 e180547cc8c7facb4a4b799dc0feba6e
SHA1 a25a71741e8e993f36be3aea124e5b9d9b0a87ab
SHA256 5798217c452c81a241ba21cf9175a68fcfc9c8a59bea452df4f287fab22dd457
CRC32 D3FD6AB3
Ssdeep 1536:bewR0wpM2mEvvNOPiWfBy3MWaf4IzWQ+3OW86d2CdUZLHrbzmJt9ssAfGWG:am0UpV30KWf4fws3vd2CCZLHnzWcRu
Yara None matched
CAPE Yara
  • Emotet
  • Emotet Payload
Type Emotet Payload: 32-bit executable
Size 82432 bytes
Virtual Address 0x470000
Process qep3B9WOJEjqG1.exe
PID 928
Path C:\Users\user\AppData\Local\Temp\qep3B9WOJEjqG1.exe
MD5 748f93b432b95fbce8dc365a1a15a1de
SHA1 57855581ce607a2958e6ddd6744d28593a31a8a5
SHA256 cc5345368c61842f0a824b7090f51adcf71c0c11de588b85a47cc56fe0b8303f
CRC32 48A14579
Ssdeep 1536:JwR0wpM2mEvvNOPiWfBy3MWaf4IzWQ+3OW86d2CdUZLHrbzmJt9ssAfGWG:Jm0UpV30KWf4fws3vd2CCZLHnzWcRu
Yara None matched
CAPE Yara
  • Emotet
  • Emotet Payload
No process dumps.

Processing ( 3.657 seconds )

  • 1.707 CAPE
  • 0.899 BehaviorAnalysis
  • 0.308 Static
  • 0.235 TargetInfo
  • 0.225 Dropped
  • 0.16 TrID
  • 0.067 Strings
  • 0.037 Deduplicate
  • 0.008 NetworkAnalysis
  • 0.006 AnalysisInfo
  • 0.003 config_decoder
  • 0.002 Debug

Signatures ( 0.431 seconds )

  • 0.052 stealth_timeout
  • 0.039 api_spamming
  • 0.037 decoy_document
  • 0.031 antiav_detectreg
  • 0.026 injection_createremotethread
  • 0.025 InjectionCreateRemoteThread
  • 0.023 Doppelganging
  • 0.02 injection_runpe
  • 0.019 InjectionProcessHollowing
  • 0.018 InjectionInterProcess
  • 0.012 PlugX
  • 0.012 infostealer_ftp
  • 0.007 antiav_detectfile
  • 0.007 infostealer_im
  • 0.006 persistence_autorun
  • 0.006 antianalysis_detectreg
  • 0.005 infostealer_mail
  • 0.004 antivm_generic_disk
  • 0.004 infostealer_bitcoin
  • 0.004 ransomware_files
  • 0.003 mimics_filetime
  • 0.003 virus
  • 0.003 antianalysis_detectfile
  • 0.003 antivm_vbox_files
  • 0.003 antivm_vbox_keys
  • 0.003 browser_security
  • 0.003 ransomware_extensions
  • 0.002 tinba_behavior
  • 0.002 bootkit
  • 0.002 rat_nanocore
  • 0.002 stealth_file
  • 0.002 betabot_behavior
  • 0.002 antivm_generic_scsi
  • 0.002 reads_self
  • 0.002 cerber_behavior
  • 0.002 antivm_vmware_keys
  • 0.002 geodo_banking_trojan
  • 0.002 disables_browser_warn
  • 0.001 lsass_credential_dumping
  • 0.001 malicious_dynamic_function_loading
  • 0.001 hawkeye_behavior
  • 0.001 exploit_getbasekerneladdress
  • 0.001 recon_programs
  • 0.001 antivm_generic_services
  • 0.001 antiemu_wine_func
  • 0.001 process_interest
  • 0.001 antivm_vbox_libs
  • 0.001 kibex_behavior
  • 0.001 shifu_behavior
  • 0.001 infostealer_browser_password
  • 0.001 ursnif_behavior
  • 0.001 dynamic_function_loading
  • 0.001 vawtrak_behavior
  • 0.001 kovter_behavior
  • 0.001 hancitor_behavior
  • 0.001 antidbg_devices
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vmware_files
  • 0.001 antivm_vpc_keys
  • 0.001 antivm_xen_keys
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 modify_proxy
  • 0.001 darkcomet_regkeys
  • 0.001 modify_uac_prompt
  • 0.001 recon_fingerprint

Reporting ( 0.025 seconds )

  • 0.025 CompressResults
Task ID 36432
Mongo ID 5c61d1c4f284884f68b2db01
Cuckoo release 1.3-CAPE